Monday, February 15, 2010

Coordinating Efforts In Cyber Security

I have truly never seen a security initiative quite as interesting and massive as the cyber security effort as it relates to Smart Grid. The more I peel back the layers, the more I discover how massive the effort is.

Just a few days ago I was invited to attend a meeting of the American Bar Association (yes, the lawyer group), and the entire meeting (2 full days) was packed with presentation after presentation and working groups dedicated to cyber security. Yes! You heard that right. Lawyers are interested in understanding cyber security on a very detailed level. Fascinating!

I have spoken to utility companies, meter manufacturers, chipmakers, HSM vendors, crypto stack vendors, regulatory bodies...the list goes on and on and on. Everyone is contributing something to the effort of fighting the current cyber war we are all involved in. Do not think we are at war? Well, please reconsider. We may indeed be at somewhat of a stalemate at times, or even in a cold war, but we are indeed at war. The enemy is constantly hard at work trying to find new ways to break into our vast cyber network, and on every level you can imagine. It ranges from Aunt Judy's Facebook page all the way to our Missile Defense system, and the attackers are RELENTLESS (and also have a lot of fun doing what they are doing).

But enough fear mongering for now. We, as humans, are completely used to being vulnerable. We fashion synthetic skins from cloth and the pelts of animals to protect ourselves from freezing to death. If we no longer had clothing WE WOULD DIE! OH MY GOD! WE MUST PROTECT OUR TEXTILE INDUSTRY!!!!

You see how ridiculous hyperbole can get...time to switch to decaf.

Being subject to attack is something we are well aware of, and we have simply coordinated our efforts to a level where we all understand what it is going to take to protect ourselves from bad things. We invent penicillin to fight bacterial infections, and we coordinate efforts to get it into the hands of all who need it. We make vaccines to stop the spread of deadly flu. We organize our defenses to prevent the bad guys from breaking down our walls and fortresses.

We all have a pretty good idea of how and when to coordinate efforts to keep ourselves protected, and we make improvements along the way. That is what we do.

Fast forward to Smart Grid security. The exploding cyber security industry as it relates to Smart Grid seemed to come out of nowhere. Sure, I was talking about it 2 years ago with some vendors, but it wasn't until quite recently that it became an area of more intense focus for nearly every technology company in existence (and those who are not in the game yet will be in soon). I have to say that I began seeing more activity in this area after the 60 Minutes episode on cyber security, where they showed a transformer (I believe it was a transformer) being destroyed remotely by a simulated cyber attack. Even I, who have worked in security long enough to know that there are A LOT of unresolved security issues in this world, was taken aback by this proof of concept.

Nonetheless, the troops went into action. We are now seeing a massive land grab as everyone in the world of security reaches for their piece of the pie, and many come up with big handfuls of job security as a result. I was talking to a cyber security engineer a few days ago who told me that he was out of work 2 years before landing a sweet job working for a utility. My own company was stagnating for the last 2 years as well, despite having worked on some very large security projects. In fact, we started writing iPhone applications as a side job, and were brought back into security because of Smart Grid. It is a huge project with a dire need for security expertise on EVERY level imaginable. Definitely some promising times for the cyber warriors of the world.

Yet I see some issues popping up that I believe are quite counterproductive to meeting this war with the extreme sense of urgency it deserves. One clear obstacle to cyber security excellence is our woefully luddite government (in the USA). They make no bones about the fact that they are bordering on the dark ages when it comes to providing expertise on cyber security. They are damn good at providing expertise on blowing things up, rebuilding them, and blowing things up again, but the only asset the government can contribute to the cyber security effort at this point is $$$$$$$...and they are...billions of $$$$ in fact.

Where the government becomes a bit of an issue and perhaps a bit of a hindrance is in the effort to mandate standards for cyber security. This is where things begin to get a bit annoying. Although NIST is hard at work at finalizing NISTIR 7628, and NERC is hard at work building a nice compendium of auditing documents for cyber security, and the CPUC is hard at work scoping their Smart Grid security initiatives, nobody can tell you what the COMPLETE rules of the game are at this point. Anyone who claims to know all the rules of the game is lying, because the rules are still being written as we speak.

So what rules are the players following in the absence of a coordinated set of rules from up above? Well, I can tell you that California is indeed following (to a degree) its own rules regarding privacy as it relates to Smart Grid (SB 1386), since California law requires privacy protection. I can tell you with certainty that there are a lot of VERY smart minds from the private sector working very hard to make sure that they build the best security they can with the resources they are given, and that the resources are definitely getting better (albeit slowly). I can tell you that the guys I talked to at the major utility company are being funded by the utility to do some absolutely brilliant work, and that the cyber security engineer at one of the meter manufacturing companies the utility sources meters from has some absolutely great ideas about what it would take to improve security. I can tell you that the utility guys would love to let their vendors know what they believe would be beneficial on the front lines.

Ahhhh...that is where things get a bit unraveled. Imagine my surprise when I spoke to the utility company cyber security guys and they told me they have never met or spoken to the cyber security architect at the meter company. What the ????

Let's get back to my original assertion. We are at war. Sure, we see no blood and body parts flying (a la Saving Private Ryan), but we must accept the fact that the warriors have, to a degree, laid down their rifles and booted up their laptops, and the pending cyber battles are going to take out a lot more troops than any rail gun ever could. While guerrilla warfare tactics are indeed effective, a coordinated battle effort generally wins in the end. A mixture of both is perhaps the most effective, but only in the sense that the guerrilla warriors are on the same page as the well-regulated troops, AND (this is the big point) that we eliminate redundancy and activities that cause a regression in the efforts. If I, as an intelligence officer, decide that a great strategic tactic is to befriend an enemy and gather information, and manage to get a few cups of coffee, some cold beers, and perhaps a nice meal with the enemy in my effort to butter him up, it is rather annoying if the guerrilla warrior decides to put a bullet in his head because he has a clear shot.

As a security professional who is interested in helping the cause, I constantly run into two very different scenarios. The first scenario is the fortress of silence and dismissiveness that many (but not all) of the players in cyber security put up when I try to get some information that would help me do my job better. The second is when I reach the guy (or gal) at the organization who truly cares about security, truly understands the need for teamwork, and appreciates those of us who have fought on the front lines of the ongoing security battle and who CLEARLY see the enemy for what he is...A PEER! No, I am not talking about the REAL enemy (the guy at the top of the food chain); I am talking about the security expert the guy at the top of the food chain has hired to do his bidding.

I am unsure of how coordinated the efforts of the bad guys are at this point. I am assuming it is fairly good because hackers seem to love collaborating (take Black Hat, for instance), and I am also assuming it is going to get better as the bad guys start getting better funding.

So are we going to take a cue from that...or are we going to continue setting up our own battle fronts as we wait for the orders from above?
